Cisco finds new zero-day exploit linked to NSA hackers

Network equipment vendor Cisco is finally warning its customers of another zero-day vulnerability the company discovered in the trove of NSA's hacking exploits and implants leaked by the group calling itself "The Shadow Brokers."

Last month, the Shadow Brokers published firewall exploits, implants, and hacking tools allegedly stolen from the NSA's Equation Group, which was designed to target major vendors including, Cisco, Juniper, and Fortinet.

A hacking exploit, dubbed ExtraBacon, leveraged a zero-day vulnerability (CVE-2016-6366) resided in the Simple Network Management Protocol (SNMP) code of Cisco ASA software that could allow remote attackers to cause a reload of the affected system or execute malicious code. Now Cisco has found another zero-day exploit, dubbed "Benigncertain," which targets PIX firewalls. Cisco analyzed the exploit and noted that it had not identified any new flaws related to this exploit in its current products.

But, further analysis of Benigncertain revealed that the exploit also affects Cisco products running IOS, IOS XE and IOS XR software. Benigncertain leveraged the vulnerability (CVE-2016-6415) that resides in the IKEv1 packet processing code and affects several Cisco devices running IOS operating system and all Cisco PIX firewalls.

IKE (Internet Key Exchange) is a protocol used for firewalls, to provide virtual private networks (VPNs), and even manage industrial control systems. A remote, unauthorized attacker could use this vulnerability to retrieve memory contents from traffic and disclose critical information such as RSA private keys and configuration information by sending specially crafted IKEv1 packets to affected devices.

"The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests," Cisco said in its advisory. Cisco's IOS operating system XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x, as well as PIX firewalls versions 6.x and earlier, are vulnerable to this flaw, though the company has not supported PIX since 2009.

Neither Cisco has developed a patch for the flaw, nor any workarounds are available. The company said the vulnerability is currently under exploit, advising its customers to employ intrusion detection system (IDS) and intrusion prevention systems (IPS) to help stop the attacks. Cisco promised to release software updates to patch CVE-2016-6415 but did not specify a time frame.